Computer security method and system with input parameter validation

ABSTRACT

A security system, including a receiver for receiving a downloadable, a scanner, coupled with the receiver, for scanning the downloadable to identify suspicious computer operations therein, a code modifier, coupled with the scanner, for overwriting the suspicious computer operations with substitute computer operations, if at least one suspicious computer operation is identified by the scanner, and for appending monitoring program code to the downloadable thereby generating a modified downloadable, if at least one suspicious computer operation is identified by the scanner, and a processor, coupled with the code modifier, for executing programmed instructions, wherein the monitoring program code includes program instructions for the processor to validate input parameters for the suspicious computer operations during run-time of the downloadable. A method is also described and claimed.

PRIORITY REFERENCE TO RELATED APPLICATIONS

This application is a continuation-in-part of assignee's pending U.S.application Ser. No. 11/354,893, filed on Feb. 16, 2006 entitled SYSTEMAND METHOD FOR ENFORCING A SECURITY CONTEXT ON A DOWNLOADABLE.

FIELD OF THE INVENTION

The field of the present invention is computer security.

BACKGROUND OF THE INVENTION

Computer security software and hardware are used to inspectdownloadables, to determine if they are malicious. The term“downloadable” refers generally to an executable application program,which is downloaded from a source computer and run on a destinationcomputer. There are many different types of malicious downloadables,including malware, phishing, spyware, Trojan horses, viruses and worms.Malicious downloadables often enter an internal computer network from anexternal network, and infect all or most of the computers in theinternal network once they break in. As such, computer security systemsoften employ gateway computers to scan and filter incomingdownloadables.

Scanning downloadables at a gateway computer may be performed by runningthe programs; however, running the programs on the gateway computerinstead of on the computer in the internal network for which theprograms are intended, may result in the gateway computer failing todetect exploits in the downloadables.

Scanning downloadables at a gateway computer may also be performed byanalyzing the programs. Assignee's U.S. Pat. No. 6,092,194 describessuch a gateway security system.

When analyzing downloadables, scanners generally search for computeroperations that are potentially suspicious. For example, if a suspectdownloadable invokes a function call that writes to a file system oropens a network connection or changes a registry entry, such behaviorraises a warning flag for potentially malicious activity. A securitysystem may block a downloadable from reaching an internal network if thedownloadable includes a suspicious computer operation. However, mostnon-malicious downloadables use these same computer operations in aninnocuous way, and such a security system may block both good and baddownloadables from reaching the internal network.

Consider, for example, a function that deletes a file in the filesystem. Many safe programs, such as software installation programs,generate temporary files during execution, and delete the temporaryfiles upon completion. However, a malicious program may delete criticaloperating system files. A security system that blocks downloadableswhich invoke a function to delete a file would block safe downloadablesin addition to the malicious ones.

Consider, for example, a downloadable that includes the following simpleJavaScript source code:

<SCRIPT LANGUAGE=“JavaScript”>   var b = newActiveXObject(“Msxml2.XMLHTTP”);   exploit data =“SSSSSSSSSSSSSSSSSSSSSS exploit”;   b.setRequestHeader(exploit data);</SCRIPT>This source code initiates a new Msxml2.XMLHTTP ActiveX object, andinvokes the object's method setRequestHeader( ). An Msxml2.XMLHTTPobject is a standard object built into the Microsoft XML parser. TheMsxml2.XMLHTTP object is an important part of the Ajax web developmenttechnique, and is used to implement responsive and dynamic webapplications. It is used on a client side web page to grab informationfrom the server, process it, and use the information on the current webpage (as opposed to having to reload a web page).

The method setRequestHeader( ) is generally a safe function that simplyadds an HTTP header to a request. The following code snippet shows howsetRequestHeader( ) is used, for example, to set the HTTP Content-Typeheader to ‘text/xml’ before sending a request body.

var oReq = new XMLHttpRequest( ); oReq.open(“POST”, sURL, false);oReq.setRequestHeader(CONTENT, “text/xml”); oReq.send(sRequestBody);As such, the example JavaScript above appears innocuous.

However, the input parameter to setRequestHeader( ) in the exampleJavaScript code above is only evaluated at run-time, and a code exploitmay be triggered in the process of evaluating the input parameter. Moregenerally, input parameters to function calls, even for safe functions,are potential hiding places for code exploits. Since input parametersmay only be determined at run-time, such code exploits may go undetectedwhen scanning downloadables.

It would thus be of advantage for a security system to be able tovalidate input parameters that are evaluated at run-time. It would be offurther advantage for a security system to be able to determine if agiven input parameter will exploit a non-malicious function, prior toactually executing the non-malicious function with the given inputparameter.

SUMMARY OF THE DESCRIPTION

Aspects of the present invention relate to a computer security methodand system that validates input parameters to computer operations whenscanning a suspect downloadable. In one embodiment, the presentinvention overwrites suspicious computer operations, and appends specialmonitoring code to the suspect downloadable that, when invoked,validates input parameters to computer operations.

The present invention may be embodied at a gateway computer, at a servercomputer, or at a client computer.

There is thus provided in accordance with an embodiment of the presentinvention a method for identifying suspicious downloadables, includingreceiving a downloadable, scanning the downloadable to identifysuspicious computer operations therein, and if at least one suspiciouscomputer operation is identified, then overwriting the suspiciouscomputer operations with substitute computer operations, and appendingmonitoring program code to the downloadable thereby generating amodified downloadable, wherein the monitoring program code includesprogram instructions for validating input parameters for the suspiciouscomputer operations during run-time of the downloadable.

There is additionally provided in accordance with an embodiment of thepresent invention a computer security system, including a receiver forreceiving a downloadable, a scanner, coupled with the receiver, forscanning the downloadable to identify suspicious computer operationstherein, a code modifier, coupled with the scanner, for overwriting thesuspicious computer operations with substitute computer operations, ifat least one suspicious computer operation is identified by the scanner,and for appending monitoring program code to the downloadable therebygenerating a modified downloadable, if at least one suspicious computeroperation is identified by the scanner, and a processor, coupled withthe code modifier, for executing programmed instructions, wherein themonitoring program code includes program instructions for the processorto validate input parameters for the suspicious computer operationsduring run-time of the downloadable.

There is further provided in accordance with an embodiment of thepresent invention a method for identifying suspicious downloadables,including receiving a downloadable, and appending monitoring programcode to the downloadable thereby generating a modified downloadable,wherein the monitoring program code includes program instructions foridentifying suspicious computer operations during run-time of thedownloadable, for overwriting the suspicious computer operations withsubstitute computer operations during run-time of the downloadable, andfor validating input parameters for the suspicious operations duringrun-time of the downloadable.

There is yet further provided in accordance with an embodiment of thepresent invention a computer security system, including a receiver forreceiving a downloadable, a code modifier, coupled with the scanner, forappending monitoring program code to the downloadable thereby generatinga modified downloadable, and a processor, coupled with the codemodifier, for executing programmed instructions, wherein the monitoringprogram code includes program instructions for the processor to identifysuspicious computer operations during run-time of the downloadable, tooverwrite the suspicious computer operations with substitute computeroperations during run-time of the downloadable, and to validate inputparameters for the suspicious computer operations during run time of thedownloadable.

There is moreover provided in accordance with an embodiment of thepresent invention a method for identifying suspicious downloadables,including scanning a downloadable to detect the presence of at least onesuspicious computer operation, dynamically generating during run-time ofthe downloadable at least one input parameter for the at least onesuspicious computer operation detected by the scanning, and determiningwhether or not the dynamically generated at least one input parametercorresponds to a safe input parameter for the at least one suspiciouscomputer operation.

There is additionally provided in accordance with an embodiment of thepresent invention a computer security system, including a scanner forscanning a downloadable to detect the presence of at least onesuspicious computer operation, and a processor that executes programmedinstructions for dynamically generating during run-time of thedownloadable at least one input parameter for the at least onesuspicious computer operation detected by the scanner, and fordetermining whether or not the dynamically generated at least one inputparameter corresponds to a safe input parameter for the at least onesuspicious computer operation.

BRIEF DESCRIPTION OF THE DRAWINGS

The present invention will be more fully understood and appreciated fromthe following detailed description, taken in conjunction with thedrawings in which:

FIG. 1 is a simplified block diagram of a computer security system withinput parameter validation, in accordance with an embodiment of thepresent invention;

FIG. 2 is a method for computer security with input parametervalidation, in accordance with an embodiment of the present invention;and

FIG. 3 is an alternative method for computer security with inputparameter validation, in accordance with an embodiment of the presentinvention.

DETAILED DESCRIPTION

Aspects of the present invention relate to a computer security methodand system that receives as input a downloadable, and detects whether ornot the downloadable is potentially malicious by inter alia validatinginput parameters to computer operations.

Reference is now made to FIG. 1, which is a simplified block diagram ofa computer security system with input parameter validation, inaccordance with an embodiment of the present invention. The embodimentof the security system shown in FIG. 1 includes a gateway computer 100and two destination computers 110. Downloadables transmitted todestination computers 110 first pass through gateway 100.

Downloadables may be inter alia in the form of source code, such asJavaScript, or in the form of complied code, such as Java applets, thatis de-compiled in order to derive its source code.

One of the responsibilities of gateway computer 100 is to run securitychecks on downloadables prior to their reaching destination computers110. If gateway computer 100 identifies a potentially maliciousdownloadable, then it either blocks the downloadable from reachingdestination computers 110, or neutralizes the potentially maliciousportions of the downloadable prior to forwarding the downloadable todestination computers 110.

As shown in FIG. 1, gateway computer 100 includes a processor 120, forexecuting programmed instructions, a receiver 130 for receiving adownloadable in transit to one or both of destination computers 110, anda transmitter 140 for forwarding the received downloadable to one orboth of destination computers 110. Gateway computer 100 further includesa scanner 150, for scanning a downloadable received by receiver 130, anda code modifier 160 for appending special modification code to thedownloadable received by receiver 130.

Generally, scanner 150 inspects downloadable source code for thepresence of suspicious computer operations. If the downloadable is incompiled object code form, the scanner 150 first de-compiles the objectcode to derive downloadable source code therefrom, and then inspects thedownloadable source code for the presence of suspicious operations.

If no suspicious computer operations are detected, then the downloadableis deemed to be safe, and is forwarded to one or both of destinationcomputers 110 via transmitter 140. However, if scanner 150 detects oneor more suspicious computer operations, then processor 120 appendsspecial modification code 170 to the downloadable, thereby generating amodified downloadable. Modification code 170 includes instructions foroverwriting the suspicious computer operations detected by scanner 150,and for validating their input parameters. If all input parameters toall suspicious computer operations are validated, then the downloadableis deemed to be safe, and is forwarded to one or both of destinationcomputers 110. Otherwise, the downloadable is deemed to be potentiallymalicious.

For a downloadable deemed to be potentially malicious, processor 120 mayneutralize the suspicious computer operations by eliminating suchoperations, or by replacing their input parameters with valid inputparameters, and then forwarding the remedied downloadable to one or bothof destination computers 110. Further, processor 120 may first executethe remedied downloadable within a secure environment and inspect theexecution results, prior to forwarding the downloadable. Alternatively,processor 120 may block the downloadable from being forwarded todestination computers 110. Further details of operation of scanner 150and code modifier 160 are provided in the discussion of FIG. 2hereinbelow.

Reference is now made to FIG. 2, which is a method for computer securitywith input parameter validation, in accordance with an embodiment of thepresent invention. In conjunction with FIG. 2, reference is also made tothe following example downloadable, used to supplement the descriptionof various steps in FIG. 2 by way of example.

Original Javascript Source Program Code:

1 <SCRIPT LANGUAGE=“JavaScript”> 2  var b = newActiveXObject(“Msxml2.XMLHTTP”); 3 b.setRequestHeader(“SSSSSSSSSSSSSSSSSSSSSS”); 4 </SCRIPT>

Modified Program Code:

 5 <SCRIPT LANGUAGE=“JavaScript”>  6  VuInAcxStruct=[[“Msxml2.XMLHTTP”,[[‘setRequestHeader’,  7  function( ){allow=[“GET”, “POST”, “HEAD”,“DELETE”,  “PUT”,  8  “CONNECT”,“OPTIONS”]; for(i in allow){if  9 (arguments[0]==allow[i])return;}alert(“malicious!”)}]], [ ]]] 10 11 function makeVuInObjDict(arr) 12  { 13      dict=new Object( ); 14     for(i in arr){ 15        dict[arr[i][0]]=[arr[i][2],arr[i][3]]; 16       dict[arr[i][1]]=[arr[i][2],arr[i][3]]; 17      } 18      returndict; 19  } 20 21  VuIn_Obj_Dict=makeVuInObjDict(VuInAcxStruct); 22 23 function checkAcx(acxId) 24  { 25      if (acxId in VuIn_Obj_Dict){ 26       obj = new Object( ); 27        for(i in VuIn_Obj_Dict[acxId][0])28        { 29          obj[VuIn_Obj_Dict[acxId][0][i][0]] = 30         VuIn_Obj_Dict[acxId][0][i][1]; 31        } 32       obj[‘myID’] = acxId; 33        return obj; 34      } 35     return new Object( ); 36  } 37 38  window.ActiveXObject = checkAcx;39  var b = new ActiveXObject(“Msxml2.XMLHTTP”); 40 b.setRequestHeader(“SSSSSSSSSSSSSSSSSSSSSS”); 41 </SCRIPT>

FIG. 2 begins at step 210, whereat an original downloadable is receivedin transit to one or more destination computers. Referring to theexample JavaScript code hereinabove, the downloadable received at step210 includes lines 1-4. These lines of code cause a browser to create anActiveX object named “Msxml2.XMLHTTP”, and assign the created object tovariable b. The setRequestHeader( ) method of object b is called usingan input parameter “SSSSSSSSSSSSSSSSSSSSSS”. At this stage it is unclearif the input parameter is legitimate for this method, or if it abusesthe method call in a malicious way.

At step 220, the received downloadable is scanned, to detect thepresence of suspicious computer operations. Referring further to theexample code, the function call setRequestHeader( ) is identified asbeing suspicious. In one embodiment of the present invention, adictionary of suspicious operations is accessed and consulted by scanner150, in order to detect which computer operations are potentiallymalicious. Such a dictionary is included in lines 6-9 of the exampleprogram code, as described below with reference to step 270. In analternative embodiment of the present invention, a dictionary ofnon-malicious computer operations is accessed and consulted by scanner150, in order to detect malicious computer operations.

At step 230 a determination is made whether or not suspicious computeroperations have been detected in the downloadable. If not, then thedownloadable is deemed safe and is forwarded to its destination at step240. Otherwise, if one or more suspicious computer operations have beendetected, then at step 250 monitoring program code is appended to theoriginal downloadable. Referring to the example above, the monitoringcode includes lines 11-36, and has two functions; namely,makeVulnDict(Arr) and checkAcx(acxId).

At line 21 the function makeVulnDict( ) is called with array parameterVulnAcxStruct[ ], to build a dictionary, Vuln_Obj_Dict, of potentiallymalicious function calls. As seen at lines 6-9, VulnAcxStruct[ ] is anarray of three-element arrays, each three-element array corresponding toa potentially malicious function. For purposes of clarity, only onethree-element array is defined in lines 6-9, corresponding to the methodsetRequestHeader( ) of object Msxml2.XMLHTTP, but it will be appreciatedby those skilled in the art that additional three-element arrays may bedefined. The first element of the three-element array in VulnAcxStruct[] is the name of the object containing the potentially maliciousfunction; i.e. “Msxml2.XMLHTTP”. The second element of this array is thename of the suspicious method, setRequestHeader( ), together with thefunction to be used for input validation of the method; namely,

function( ) {   allow = [“GET”, “POST”, “HEAD”, “DELETE”, “PUT”,          “CONNECT”, “OPTIONS”];   for (i in allow){     if(arguments[0]==allow[i] return;   }   alert(“malicious!”) }Thus to validate input parameters for the method setRequestHeader( ),the input parameter is matched against six expected non-maliciousparameter values GET, POST, HEAD, DELETE, PUT, CONNECT and OPTIONS. Ifno match is found then an alert is made. It will be appreciated by thoseskilled in the art that the function given above is but one of manymethods for validating input parameters. Other such methods to validateinput parameters and to issue a notification when input parameters arenot validated, are also within the scope of the present invention.

The third element of the three-element array in VulnAcxStruct[ ], shownempty at line 9, is reserved for a definition of vulnerable properties.In summary form, VulnAcxStruct[ ] holds a list of vulnerabilities, wherea “vulnerability” is of the form

[object name, list of [method name, definition], properties].

Referring back to FIG. 2, at step 260 the suspicious computer operationsare overwritten. Referring to the example JavaScript, the over-writingis performed at lines 29 and 30. Specifically, lines 28-31 loop over thelist of [method name, definition] and associate each method name withits corresponding definition.

In addition, at line 38 the function window.ActiveXObject( ) isoverwritten by the function checkAcx( ). As such, instead of invokingActiveXObject( ) during run-time when an ActiveX object is created, thefunction checkAcx( ) is invoked.

Subsequently the modified downloadable is executed. At step 270 theinput parameters for each of the suspicious computer operations arevalidated during run-time. Referring to the example code, the functioncheckAcx( ), defined at lines 23-36, performs the validation.Specifically, if the ActiveX object to be created, as identified byacxId, is listed in the dictionary Vuln_Obj_Dict[ ], then thecorresponding input validation function is performed. If the validationfails, then the call to alert (“malicious!”) is made. Otherwise, thedesired ActiveX object is created and returned. It will be appreciatedby those skilled in the art that other forms of notification of failedvalidation are within the scope of the present invention. For example,checkAcx( ) may generate a warning text message.

For the example provided above, when the input parameter“SSSSSSSSSSSSSSSSSSSSSS” to setRequestHeader( ) is validated, thevalidation fails since the input parameter does not match any of theexpected input parameters GET, POST, HEAD, DELETE, PUT, CONNECT andOPTIONS. If the input parameter to setRequestHeader( ) had instead beenvalid, the desired ActiveX object, Msxml2.XMLHTTP, would have beencreated by checkAcx( ) and returned.

At step 280 a determination is made whether or not the input parametersto each of the suspicious computer operations have been validated. Ifso, then the downloadable is deemed safe and is forwarded to itsdestination at step 240. Otherwise, the downloadable is deemedsuspicious, an alert is made, and various preventive actions may betaken. One such action, at step 291, is simply not to forward thedownloadable to the destination computer. Another such action, at step292, is to neutralize the input parameters that were not validated, byreplacing them with valid input parameters, and then forwarding theremedied downloadable to the destination computers. Another such action,at step 293, is to consult a computer security policy to determinewhether or not to forward the downloadable to the destination computer,based on the suspicious computer operations that were detected.

It will be appreciated by those skilled in the art that step 260, ofoverwriting suspicious computer operations may be performed either in apre-scan phase, prior to executing the loop around step 270, asindicated in FIG. 2, or instead may be performed in real-time, withinthe loop. Specifically, referring to the example JavaScript codeprovided hereinabove, the structure VulnAcxStruct[ ], defined at lines6-9, which pre-identifies the suspicious computer operations, may beappended to the monitoring code. In turn, the monitoring code overwritesthe pre-identified operations in real-time at lines 29 and 30. In thisregard, reference is now made to FIG. 3, which is an alternative methodfor computer security with input parameter validation, with theoverwriting being performed during run-time, in accordance with anembodiment of the present invention.

FIG. 3 begins at step 310, whereat an original downloadable is receivedin transit to one or more destination computers. At step 350 monitoringprogram code is appended to the original downloadable, to generate amodified downloadable.

Subsequent to step 350 the modified downloadable is executed. At step355 suspicious computer operations are identified at run-time. Step 355may be performed by referencing a structure, such as the VulnAcxStruct[] structure in the example JavaScript, that lists pre-designatedsuspicious computer operations. Alternatively, step 355 may be performedby referencing structure that lists pre-designated safe computernon-malicious computer operations.

At step 360 the suspicious computer operations are overwritten atrun-time. Referring to the example JavaScript, at lines 29 and 30 theobject method

obj[Vuln_Obj_Dict[acxId][0][i][0]]

is overwritten with the function

obj[Vuln_Obj_Dict[acxId][0][i][1]].

Based on lines 15 and 16, this corresponds to overwriting the methodsetRequestHeader( ) of object Msxml2.XMLHTTP with the function in lines7-9; namely,

Function( ) {   allow =[“GET”, “POST”, “HEAD”, “DELETE”, “PUT”,        “CONNECT”, “OPTIONS”];   for (i in allow){     if(arguments[0]==allow[i] return;   }   alert(“malicious!”) }

At step 370 the input parameters for the suspicious computer operationsare validated at run-time. Referring to the JavaScript example, inputparameter validation is performed by the function in lines 7-9. If theinput parameters are validated then the function returns normally;otherwise, the function invokes alert (“malicious!”). Other such methodsto validate input parameters and to issue a notification when inputparameters are not validated, are also within the scope of the presentinvention.

At step 380 a determination is made whether or not the input parametersto each of the suspicious computer operations have been validated. Ifso, then the downloadable is deemed safe and is forwarded to itsdestination at step 340. Otherwise, the downloadable is deemedmalicious, an alert is made, and various preventive actions may betaken. One such action, at step 391, is simply not to forward thedownloadable to the destination computer. Another such action, at step392, is to neutralize the input parameters that were not validated, byreplacing them with valid input parameters, and then forwarding theremedied downloadable to the destination computers. Another such action,at step 393, is to consult a computer security policy to determinewhether or not to forward the downloadable to the destination computer,based on the suspicious computer operations that were detected.

In the foregoing specification, the invention has been described withreference to specific exemplary embodiments thereof. It will, however,be evident that various modifications and changes may be made to thespecific exemplary embodiments without departing from the broader spiritand scope of the invention as set forth in the appended claims.Accordingly, the specification and drawings are to be regarded in anillustrative rather than a restrictive sense.

1. A method for handling suspicious downloadables, comprising: receivinga downloadable; scanning the downloadable to identify suspiciouscomputer operations therein; and if at least one suspicious computeroperation is identified, then: overwriting the suspicious computeroperations with substitute computer operations; and appending monitoringprogram code to the downloadable thereby generating a modifieddownloadable, wherein the monitoring program code includes programinstructions for validating input parameters for the suspicious computeroperations during run-time of the downloadable.
 2. The method of claim1, wherein the substitute computer operations validate their inputparameters, and indicate if their input parameters are not successfullyvalidated.
 3. The method of claim 2, wherein the substitute computeroperations indicate if their input parameters are not successfullyvalidated by invoking an alert.
 4. The method of claim 2, wherein thesubstitute computer operations indicate if their input parameters arenot successfully validated by generating a warning text message.
 5. Themethod of claim 1, wherein the monitoring code further includes programinstructions for replacing invalid input parameters with valid inputparameters in the suspicious computer operations.
 6. The method of claim1, further comprising executing the modified downloadable.
 7. The methodof claim 6, wherein said executing comprises executing the modifieddownloadable in a secure environment.
 8. The method of claim 1, whereinsaid receiving comprises receiving the downloadable in transit to anintended destination computer, the method further comprisingtransmitting the modified downloadable to the destination computer. 9.The method of claim 1, wherein said receiving comprises receiving thedownloadable in transit to an intended destination computer, the methodfurther comprising preventing the downloadable from executing on thedestination computer if said validating fails.
 10. The method of claim1, wherein said receiving comprises receiving the downloadable intransit to an intended destination computer, the method furthercomprising consulting a security policy to determine whether to forwardthe downloadable to the destination computer if said validating fails.11. The method of claim 1, wherein said validating input parameterscomprises comparing actual input parameters to the suspicious computeroperations with at least one descriptor of valid input parameters forthe suspicious computer operations.
 12. The method of claim 1, whereinsaid validating input parameters comprises comparing actual inputparameters to the suspicious computer operations with at least onedescriptor of invalid input parameters for the suspicious computeroperations.
 13. The method of claim 1, wherein said scanning comprisesaccessing a dictionary of suspicious computer operations.
 14. The methodof claim 1, wherein said validating comprises accessing a dictionary ofvalid input parameters.
 15. The method of claim 1, wherein saidvalidating comprises accessing a dictionary of invalid input parameters.16. The method of claim 1, wherein the downloadable is JavaScriptprogram code.
 17. The method of claim 1, wherein the downloadable isVBScript program code.
 18. The method of claim 1, wherein thedownloadable is Flash object compiled program code, the method furthercomprising de-compiling the Flash object compiled program code to derivesource code therefrom.
 19. The method of claim 1, wherein thedownloadable is applet program code, the method further comprisingde-compiling the applet program code to derive source code therefrom.20. A computer security system, comprising: a receiver for receiving adownloadable; a scanner, coupled with said receiver, for scanning thedownloadable to identify suspicious computer operations therein; a codemodifier, coupled with said scanner, for overwriting the suspiciouscomputer operations with substitute computer operations, if at least onesuspicious computer operation is identified by said scanner, and forappending monitoring program code to the downloadable thereby generatinga modified downloadable, if at least one suspicious computer operationis identified by said scanner; and a processor, coupled with said codemodifier, for executing programmed instructions, wherein the monitoringprogram code includes program instructions for said processor tovalidate input parameters for the suspicious computer operations duringrun-time of the downloadable.
 21. The security system of claim 20,wherein the substitute computer operations validate their inputparameters, and indicate if their input parameters are not successfullyvalidated.
 22. The security system of claim 21, wherein the substitutecomputer operations indicate if their input parameters are notsuccessfully validated by invoking an alert.
 23. The security system ofclaim 21, wherein the substitute computer operations indicate if theirinput parameters are not successfully validated by generating a warningtext message.
 24. The security system of claim 20, wherein themonitoring code further includes program instructions for said processorto replace invalid input parameters with valid input parameters in thesuspicious computer operations.
 25. The security system of claim 20,wherein said processor executes the modified downloadable.
 26. Thesecurity system of claim 25, wherein said processor executes themodified downloadable in a secure environment.
 27. The security systemof claim 20, wherein said receiver receives the downloadable in transitto an intended destination computer, the system further comprising atransmitter for transmitting the modified downloadable to thedestination computer.
 28. The security system of claim 20, wherein saidreceiver receives the downloadable in transit to an intended destinationcomputer, and wherein said processor prevents the downloadable fromexecuting on the destination computer if said processor fails tovalidate the input parameters.
 29. The security system of claim 20,wherein said receiver receives the downloadable in transit to anintended destination computer, and wherein said processor consults asecurity policy to determine whether to forward the downloadable to thedestination computer if said validating fails.
 30. The security systemof claim 20, wherein the monitoring program code includes programinstructions for said processor to compare actual input parameters tothe suspicious computer operations with at least one descriptor of validinput parameters for the suspicious computer operations.
 31. Thesecurity system of claim 20, wherein the monitoring program codeincludes program instructions for said processor to compare actual inputparameters to the suspicious computer operations with at least onedescriptor of invalid input parameters for the suspicious computeroperations.
 32. The security system of claim 20, wherein said scanneraccesses a dictionary of suspicious computer operations.
 33. Thesecurity system of claim 20, wherein the monitoring program codeincludes program instructions for said processor to access a dictionaryof valid input parameters.
 34. The security system of claim 20, whereinthe monitoring program code includes program instructions for saidprocessor to access a dictionary of invalid input parameters.
 35. Thesecurity system of claim 20, wherein the downloadable is JavaScriptprogram code.
 36. The security system of claim 20, wherein thedownloadable is VBScript program code.
 37. The security system of claim20, wherein the downloadable is Flash object compiled program code, andwherein said scanner de-compiles the program code to derive source codetherefrom.
 38. The security system of claim 20, wherein the downloadableis applet compiled program code, and wherein said scanner de-compilesthe program code to derive source code therefrom.
 39. A method forhandling suspicious downloadables, comprising: receiving a downloadable;and appending monitoring program code to the downloadable therebygenerating a modified downloadable, wherein the monitoring program codeincludes program instructions: for identifying suspicious computeroperations during run-time of the downloadable; for overwriting thesuspicious computer operations with substitute computer operationsduring run-time of the downloadable; and for validating input parametersfor the suspicious operations during run-time of the downloadable. 40.The method of claim 39, wherein the substitute computer operationsvalidate their input parameters, and indicate if their input parametersare not successfully validated.
 41. The method of claim 39, wherein saididentifying suspicious computer operations comprises comparing computeroperations in the downloadable with a list of pre-designated computeroperations.
 42. The method of claim 39, wherein said receiving comprisesreceiving the downloadable in transit to an intended destinationcomputer, the method further comprising transmitting the modifieddownloadable to the destination computer if said validating issuccessful.
 43. The method of claim 39, wherein the downloadable isJavaScript program code.
 44. The method of claim 39, wherein thedownloadable is VBScript program code.
 45. The method of claim 39,wherein the downloadable is Flash object compiled program code, themethod further comprising de-compiling the Flash object compiled programcode to derive source code therefrom.
 46. The method of claim 39,wherein the downloadable is applet program code, the method furthercomprising de-compiling the applet program code to derive source codetherefrom.
 47. A computer security system, comprising: a receiver forreceiving a downloadable; a code modifier, coupled with said scanner,for appending monitoring program code to the downloadable therebygenerating a modified downloadable; and a processor, coupled with saidcode modifier, for executing programmed instructions, wherein themonitoring program code includes program instructions for saidprocessor: to identify suspicious computer operations during run-time ofthe downloadable; to overwrite the suspicious computer operations withsubstitute computer operations during run-time of the downloadable; andto validate input parameters for the suspicious computer operationsduring run time of the downloadable.
 48. The security system of claim47, wherein the substitute computer operations cause said processor tovalidate their input parameters, and to indicate if their inputparameters are not successfully validated.
 49. The security system ofclaim 47, wherein the monitoring program code further includes programinstructions for said processor to compare computer operations in thedownloadable with a list of pre-designated computer operations.
 50. Thecomputer security system of claim 47, wherein said receiver receives thedownloadable in transit to an intended destination computer, the systemfurther comprising a transmitter for transmitting the modifieddownloadable to the destination computer if said processor successfullyvalidates the input parameters for the suspicious computer operations.51. The computer security system of claim 47, wherein the downloadableis JavaScript program code.
 52. The computer security system of claim47, wherein the downloadable is VBScript program code.
 53. The computersecurity system of claim 47, wherein the downloadable is Flash objectcompiled program code, and further comprising a de-compiler forde-compiling the Flash object compiled program code to derive sourcecode therefrom.
 54. The computer security system of claim 47, whereinthe downloadable is applet program code, and further comprising ade-compiler for de-compiling the applet program code to derive sourcecode therefrom.
 55. A method for handling suspicious downloadables,comprising: scanning a downloadable to detect the presence of at leastone suspicious computer operation; dynamically generating duringrun-time of the downloadable at least one input parameter for the atleast one suspicious computer operation detected by said scanning; anddetermining whether or not the dynamically generated at least one inputparameter corresponds to a safe input parameter for the at least onesuspicious computer operation.
 56. A computer security system,comprising: a scanner for scanning a downloadable to detect the presenceof at least one suspicious computer operation; and a processor thatexecutes programmed instructions: for dynamically generating duringrun-time of the downloadable at least one input parameter for the atleast one suspicious computer operation detected by said scanner; andfor determining whether or not the dynamically generated at least oneinput parameter corresponds to a safe input parameter for the at leastone suspicious computer operation.